[strongSwan] Max OSX client
claude.tompers at restena.lu
Fri Mar 27 16:27:01 CET 2020
Thanks for your help to clean up my config. Everything works fine now. I
had to disable reauth and use rekey only.
It seems that after IKE_SA expiration, OSX can not access the client
certificate properly anymore to reauthenticate.
Have a nice weekend.
On 27/03/2020 07:38, Claude Tompers wrote:
> Hello Tobias,
> Thanks a lot for you remarks. I will review the config.
> kind regards,
> On 26/03/2020 17:11, Tobias Brunner wrote:
>> Hi Claude,
>>> Before diving deeper into logs etc. Do these connection settings look
>>> good to you ? Thinking of all sorts of timers.
>> There is lots of questionable stuff in that config.
>> That's quite low, in particular since you didn't change margintime and
>> rekeyfuzz (see  for what that means exactly).
>> That doesn't make much sense on a responder as it's unlikely it can
>> reach the client to reestablish the connection if it failed to
>> retransmit a message several times.
>> That's relatively low for mobile clients that might not be reachable for
>> a while. If you do that, consider changing the retransmission settings
>> so clients can be offline for a while .
>> Has no effect on IKEv2 SAs.
>> Same as dpdaction, makes not much sense on a responder for mobile clients.
>> This only makes sense if trap policies are used, otherwise no CHILD_SA
>> will exist after that (unless the client will reestablish the complete
>> connection immediately if the server terminates the CHILD_SA
>> unexpectedly, but what would the benefit be of that?).
>> Why did you set that longer than the IKE_SA lifetime? Also, refer to
>>  for details.
>> Consider reading up on reauthentication (especially in regards to IKEv2
>> responders) on .
>> Why would you disable MOBIKE on a connection for mobile roadwarriors?
>> It's exactly the use case this extension was designed for.
>>  https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
>>  https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 236 bytes
Desc: OpenPGP digital signature
More information about the Users